The P3P Validator Document

This document explains how the P3P validator checks a web page.
Users of the validator should read this document to understand
what was validated about their web site or page.

1. What is "Integrated Validation"?

To use this function, the user must give the URI of a web page
(called the target URI in this document).
The function then checks whether the target URI (web page) is compliant with P3P,
using the following procedure.

1.1 Get Policy Reference File URI

P3P provides the following three methods for the client to learn the Policy
Reference File (PRF) URI:

Well Known Location File

HTTP Header

HTML link tag

The validator tries all three methods to find the PRF URI.

Well Known Location

The Well Known Location is defined as /w3c/p3p.xml on the same site
as the target URI. The validator sends an HTTP GET request to
the well known location URI and checks if the PRF exists.

HTTP Header

The PRF URI can be specified with an HTTP header. The validator sends
an HTTP GET request to the target URI and checks if
the response includes the following directive:

    P3P: policyref="some uri"

Also, the validator checks the compact P3P policy.

HTML link tag

When the target URI is an HTML document, the PRF URI can be specified with
an HTML link tag. The validator retrieves the target URI's document and
checks if it includes the following directive:

    <link rel="P3Pv1" href="some uri">
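
The three discovery methods above can be sketched as follows. This is an added example, not the validator's own code; the function names, the sample target URI, the sample header and the sample HTML are constructed for illustration, and the code does not fetch anything, so the well known location is only a candidate to be requested.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

WELL_KNOWN_PATH = "/w3c/p3p.xml"  # well known location named in section 1.1

# Constructed sample response for a hypothetical target URI (not real data).
SAMPLE_TARGET = "http://www.example.com/catalog/index.html"
SAMPLE_HEADERS = {"P3P": 'policyref="/policyref.xml", CP="NOI DSP COR"'}
SAMPLE_BODY = '<html><head><link rel="P3Pv1" href="/policyref.xml"></head></html>'


def parse_p3p_header(value):
    """Return (policyref, compact_policy) from a P3P header value, None if absent."""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', value or "")
    fields = {key.lower(): val for key, val in pairs}
    return fields.get("policyref"), fields.get("cp")


class LinkFinder(HTMLParser):
    """Collects href values of <link rel="P3Pv1"> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "link" and (attr.get("rel") or "").lower() == "p3pv1" and attr.get("href"):
            self.hrefs.append(attr["href"])


def discover_prf_uris(target_uri, headers, body):
    """Map each discovery method to the absolute PRF URIs it yields, plus the compact policy."""
    headers = {name.lower(): val for name, val in headers.items()}  # names are case-insensitive
    policyref, compact = parse_p3p_header(headers.get("p3p"))
    finder = LinkFinder()
    finder.feed(body)
    found = {
        # Candidate only: the validator still has to GET it to see whether a PRF exists.
        "well-known": [urljoin(target_uri, WELL_KNOWN_PATH)],
        "http-header": [urljoin(target_uri, policyref)] if policyref else [],
        "html-link": [urljoin(target_uri, href) for href in finder.hrefs],
    }
    return found, compact


def distinct_prf_uris(found):
    """Different methods naming the same PRF URI are counted once."""
    return sorted({uri for uris in found.values() for uri in uris})
```

Relative policyref and href values are resolved against the target URI, so a header and a link tag that both say /policyref.xml collapse to a single PRF URI.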

1.2 Policy Reference File Check

After getting the PRF URIs, the validator checks if the PRF at each URI
is valid with the following steps:

Evaluate each POLICY-REF element in the PRF from top to bottom,
and find the Policy URI associated with the target URI.

Non-ambiguity Check

If more than one PRF covers the target URI and specifies the
Policy URI, it is an error. Note that when different methods specify
the same PRF URI, it is OK (e.g. if both the HTTP header and the HTML link tag
specify /policyref.xml, it is OK).

Check if the P3P data elements in the <DATA ref="..."> directive
are included in the P3P Base Data Schema. Note that the validator does not recognize
the user's own data schema, so every data element belonging to the user's data
schema produces a warning.

Link Check

Check if the URI references included in the Policy are accessible. This includes:

discuri attribute of POLICY element.

opturi attribute of POLICY element.

service attribute of DISPUTES element.

src attribute of IMG element.

2. What is "Policy File Validation"?

This function does the same thing as 1.3.
The difference is that a user behind a firewall can check the policy
file with the File Upload button.

When the File Upload feature is used and the policy file
includes relative links, the Link Check will fail.